<p>Configuring TLS is essential for <a href="#root/_help_WOcw2SLH6tbX">server installation</a> in
  Trilium. This guide details the steps to set up TLS within Trilium itself.</p>
<aside
class="admonition tip">
  <p>While Trilium supports HTTPS on its own, it's generally a good idea to
    use a <a href="#root/_help_vcjrb3VVYPZI">reverse proxy</a> instead with TLS
    termination. You can follow a <a href="https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04">guide like this</a> for
    such setups.</p>
  </aside>
  <h2>Obtaining a TLS Certificate</h2>
  <p>You have two options for obtaining a TLS certificate:</p>
  <ul>
    <li><strong>Recommended</strong>: Obtain a TLS certificate signed by a root
      certificate authority. For personal use, <a href="https://letsencrypt.org">Let's Encrypt</a> is
      an excellent choice. It is free, automated, and straightforward. Certbot
      can facilitate automatic TLS setup.</li>
    <li>Generate a self-signed certificate. This option is not recommended due
      to the additional complexity of importing the certificate into all machines
      connecting to the server.</li>
  </ul>
  <h2>Modifying <code>config.ini</code></h2>
  <p>Once you have your certificate, modify the <code>config.ini</code> file
    in the <a href="#root/_help_tAassRL4RSQL">data directory</a> to configure
    Trilium to use it:</p><pre><code class="language-text-x-trilium-auto">[Network]
port=8080
# Set to true for TLS/SSL/HTTPS (secure), false for HTTP (insecure).
https=true
# Path to the certificate (run "bash bin/generate-cert.sh" to generate a self-signed certificate).
# Relevant only if https=true
certPath=/[username]/.acme.sh/[hostname]/fullchain.cer
keyPath=/[username]/.acme.sh/[hostname]/example.com.key</code></pre>
  <p>You can also review the <a href="#root/_help_Gzjqa934BdH4">configuration</a> file
    to provide all <code>config.ini</code> values as environment variables instead.
    For example, you can configure TLS using environment variables:</p><pre><code class="language-text-x-trilium-auto">export TRILIUM_NETWORK_HTTPS=true
export TRILIUM_NETWORK_CERTPATH=/path/to/cert.pem
export TRILIUM_NETWORK_KEYPATH=/path/to/key.pem</code></pre>
  <p>The above example shows how this is set up in an environment where the
    certificate was generated using Let's Encrypt's ACME utility. Your paths
    may differ. For Docker installations, ensure these paths are within a volume
    or another directory accessible by the Docker container, such as <code>/home/node/trilium-data/[DIR IN DATA DIRECTORY]</code>.</p>
  <p>After configuring <code>config.ini</code>, restart Trilium and access the
    hostname using "https".</p>
  <h2>Self-Signed Certificate</h2>
  <p>If you opt to use a self-signed certificate for your server instance,
    note that the desktop instance will not trust it by default.</p>
  <p>To bypass this, disable certificate validation by setting the following
    environment variable (for Linux):</p><pre><code class="language-text-x-trilium-auto">export NODE_TLS_REJECT_UNAUTHORIZED=0
trilium</code></pre>
  <p>Trilium provides scripts to start in this mode, such as <code>trilium-no-cert-check.bat</code> for
    Windows.</p>
  <p><strong>Warning</strong>: Disabling TLS certificate validation is insecure.
    Proceed only if you fully understand the implications.</p>